Monday, May 31, 2010

Canada has no official coordinated cyberattack response strategy

Risk of cyber-attacks growing: CSIS memo

A secret memo from the Canadian Security Intelligence Service (CSIS) warns that the risk of cyberoffensives against government, university, and industrial computer systems has grown significantly over the past year.

"In addition to being virtually unattributable, these remotely operated attacks offer a productive, secure, and low-risk means to conduct espionage," the memo says. Canadian government officials say they are developing a framework to manage cyberattacks, yet Canada still has no official coordinated cyberattack response strategy.

Meanwhile, a report from the University of Toronto's Citizen Lab, the SecDev Group, and U.S. researchers from the Shadowserver Foundation emphasizes that the federal government must take urgent action or risk being targeted by hackers who steal sensitive information using social media. However, University of Calgary computer science professor John Aycock warns that the Internet's design makes it difficult to provide complete security. "It's not designed to be able to track people back," Aycock says. "There is no one cure-all."

Refer here for more details.

Saturday, May 29, 2010

Scientist Infects Himself With Computer Virus

Hacking the Human Body

University of Reading scientist Mark Gasson has deliberately infected himself with a computer virus in order to study the potential risks of implanting electronic devices in humans. Gasson implanted a radio frequency identification chip into his left hand last year.

The chip, which is about the size of a grain of rice, gives him secure access to Reading's buildings and his mobile phone. Gasson then introduced a computer virus into the chip. He says the infected microchip contaminated the system that was used to communicate with it, and notes that it would have infected any other devices it was connected to.

Gasson says the experiment provides a "glimpse at the problems of tomorrow," considering devices such as heart pacemakers and cochlear implants are essentially mini-computers that communicate, store, and manipulate data. "This means that, like mainstream computers, they can be infected by viruses and the technology will need to keep pace with this so that implants, including medical devices, can be safely used in the future," he says.
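The page does not say how the implant's payload reached the reader, so the following is an added illustration rather than Gasson's payload or the Reading access-control code. The general pattern is the one the experiment points at: a tag's memory is attacker-writable, and a backend that treats it as trusted input can be compromised by the tag. The badge schema, the EMP-NNNN tag format and the crafted payload are assumptions made for this example.

```python
import re
import sqlite3

# Hypothetical badge database for a door-access reader. The schema, tag
# format and payloads are constructed for this example; they are not the
# University of Reading system or the contents of Gasson's implant.
def make_badge_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE badges (tag_id TEXT PRIMARY KEY, holder TEXT, door_access INTEGER)")
    db.executemany("INSERT INTO badges VALUES (?, ?, ?)",
                   [("EMP-0042", "staff", 1), ("EMP-0099", "visitor", 0)])
    return db

def vulnerable_reader(db, tag_memory):
    """Treats whatever the tag transmits as trusted and splices it into SQL.
    Tag memory is attacker-writable, so this is how an 'infected' implant
    can compromise the backend that talks to it."""
    sql = f"SELECT door_access FROM badges WHERE tag_id = '{tag_memory}'"
    row = db.execute(sql).fetchone()
    return bool(row and row[0])

# Strict allowlist for the tag ID format; anything else is rejected before
# it reaches the database.
TAG_ID_RE = re.compile(r"EMP-\d{4}")

def hardened_reader(db, tag_memory):
    """Validates the tag ID against the allowlist and binds it as a parameter."""
    if not TAG_ID_RE.fullmatch(tag_memory):
        return False
    row = db.execute("SELECT door_access FROM badges WHERE tag_id = ?",
                     (tag_memory,)).fetchone()
    return bool(row and row[0])

# Constructed hostile tag contents: closes the string literal and adds a
# condition that matches any authorised badge, so an unknown tag opens the door.
CRAFTED_TAG = "' OR door_access = 1 OR '"

if __name__ == "__main__":
    db = make_badge_db()
    for tag in ("EMP-0042", "EMP-0099", CRAFTED_TAG):
        print(repr(tag), "vulnerable:", vulnerable_reader(db, tag),
              "hardened:", hardened_reader(db, tag))
```

The same rule applies to any implanted or embedded device that talks to a host: the host has to validate what the device sends, because the device cannot be assumed to be the one that was provisioned.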

Refer here for more details (may require free registration).

Thursday, May 27, 2010

How to manage security risk in IT Supply Chain

10 Tips for IT Supply Chain Security and Risk Management
  1. If clients or partners ask you to fill out a questionnaire that includes sensitive information about how you secure their data, make sure you ask them for the same or allow them to view the information onsite only, at your premises. This ensures that your sensitive security information is cared for properly in its environment.
  2. Always include a right-to-audit statement in your contracts with vendors and partners that allows you to perform security audits of their environments with limited or no notice.
  3. When utilizing custom-code development services, make sure you have the source code reviewed by a reputable third party or use source-code scanning tools to ensure that bugs and security vulnerabilities are exposed and remediated prior to acceptance and implementation.
  4. Ensure you have at least two vendors who can provide the same quality and quantity of IT services for critical IT functions that you outsource to ensure redundancy in the case of a failure of any one vendor.
  5. Develop and maintain business process maps, which detail all IT supply chain dependencies and requirements for key business processes.
  6. Conduct random security audits of vendors' facilities and capabilities at least once per year.
  7. Categorize your vendors based on the level of access to sensitive materials they work with or access, and apply controls and oversight based on this categorization.
  8. Meet with vendors in your IT supply chain at least once per year to brief them on your policies, requirements and expectations of how they will secure your information.
  9. Develop an information security intelligence sharing network among the vendors in your IT supply chain to share insights and information on a regular basis.
  10. Establish and monitor key performance indicators and thresholds for these indicators for key IT business processes that utilize third-party capabilities to provide intelligence about the health and safety of your IT supply chain.
Source: John P. Pironti, CISA, CISM, CGEIT, ISSAP, ISSMP, president of IP Architects LLC.

Tuesday, May 25, 2010

Facebook told to set up warning system after new sex scam

Sex-video scam, Facebook users warned

Sophos, a major computer security firm, urged Facebook on Tuesday to set up an early-warning system after hundreds of thousands of users were hit by a new wave of fake sex-video attacks.

Sophos warned users of the world's biggest social networking site to be on guard against any posting entitled "distracting beach babes", which contains a movie thumbnail of a bikini-clad woman. In a press statement, Sophos said the malicious posts appear as if they are coming from Facebook users' friends, but it urged recipients not to click on the thumbnail.

Clicking on it takes users to a rogue Facebook application informing them that they do not have the right player software installed. It tricks users into installing adware (software that automatically plays, displays, or downloads advertisements to their computer), and the video link is then posted from the victim's account, spreading it further across the network.

Sophos said that "hundreds of thousands" of Facebook users were believed to have received the posts over the past weekend. It followed a similar scam that spread on Facebook the week before involving a fake posting tagged as the "sexiest video ever".

It's time for Facebook to set up an early warning system on their network, through which they can warn their almost 500 million users about breaking threats as they happen.

A simple message appearing on all users' screens warning them of the outbreak would have helped in halting the attack. Unless something is done, it won't be surprising if there is another widespread attack this coming weekend, affecting thousands more users.

The social networking site is already under fire for revealing users' information too freely on the Internet. Facebook chief executive Mark Zuckerberg said Monday that the website "missed the mark" with its complex privacy controls and would reveal simpler features in the coming weeks.

Saturday, May 22, 2010

Automobiles could be vulnerable to hackers

Cars' Computer Systems Called at Risk to Hackers

Tomorrow's Internet-connected cars could be vulnerable to hackers in the way computers are today, warn researchers at the University of Washington (UW) and the University of California, San Diego (UCSD). During a recent test, the researchers were able to remotely control a car's braking and other functions.

"We demonstrate the ability to adversarially control a wide range of automotive functions and completely ignore driver input--including disabling the brakes, selectively braking individual wheels on demand, stopping the engine, and so on," the researchers write. The researchers were also able to insert malicious software into the car and then erase any evidence of tampering.

"Taken together, ubiquitous computer control, distributed internal connectivity, and telematics interfaces increasingly combine to provide an application software platform for external network access," write the researchers.

Refer here for more details.

Thursday, May 20, 2010

Visa Warns of New Fraud Scheme

Alert to Banks, Processors Describes Bogus Batch Settlement

Banking institutions and payments processors are on heightened alert after notification from Visa that a criminal group plans to execute a large, fraudulent batch settlement scheme.
According to Visa's alert, a copy of which was obtained by Information Security Media Group, the payment card giant has information about criminals who claim to have access to account numbers and the ability to submit a large batch settlement upload to occur over a weekend. (Merchants usually send their credit card transactions by batches at the end of a business day to be settled by the credit card companies and acquiring banks.)

Visa does not have any information as to when the fraudulent settlement activity may occur. The criminals claim to have access to a merchant account placed with a bank in Eastern Europe.

"Although the source of the information is reliable, the information that Visa has received coming forward so far is limited," the alert states. "Visa suspects that this scheme may be linked to a consortium of online merchants that have been trying to secure processing arrangements after being shut down at several acquirers across many geographies."

This alert comes after last year's record-breaking Heartland Payment Systems data breach and other noted incidents, including the Network Solutions breach that involved its merchant client database of more than 4,000 small business accounts.

Once Visa received the information from the third-party source, according to the alert, it immediately implemented monitoring of large settlement activity for banks located in Eastern Europe. Up to now, Visa says it hasn't seen abnormal or large settlement activity. Visa says it is continuing to monitor and will alert any affected Visa clients of abnormal activity, if needed.

Institutions should monitor for large or unusual settlement activity -- particularly during weekends and holidays. They should also closely review settlement and chargeback activity for high risk merchants and agents.
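The monitoring the alert asks for can be expressed as a simple check over settlement batches. The following is an added example, not Visa's monitoring or code from the alert: it scores each batch against the merchant's own weekday median, an absolute threshold, and the absence of any history (the newly boarded merchant problem raised below), and raises the priority for weekend submissions. The merchants, amounts and thresholds are constructed for illustration.

```python
from datetime import date
from statistics import median

# Constructed settlement batch records: (merchant_id, settlement date,
# batch total in USD). Hypothetical merchants and amounts, not data from
# the Visa alert. 2010-05-15, 05-22 and 05-23 fall on a weekend.
BATCHES = [
    ("M-1001", "2010-05-17", 12_500.00),
    ("M-1001", "2010-05-18", 13_100.00),
    ("M-1001", "2010-05-19", 11_900.00),
    ("M-1001", "2010-05-20", 12_800.00),
    ("M-1001", "2010-05-21", 13_400.00),
    ("M-1001", "2010-05-22", 410_000.00),   # Saturday, about 32x the weekday median
    ("M-2002", "2010-05-15", 9_500.00),     # Saturday, but in line with history
    ("M-2002", "2010-05-17", 9_800.00),
    ("M-2002", "2010-05-18", 10_100.00),
    ("M-3003", "2010-05-23", 300_000.00),   # Sunday, newly boarded, no history
    ("M-4004", "2010-05-17", 4_000.00),
    ("M-4004", "2010-05-18", 4_200.00),
    ("M-4004", "2010-05-19", 3_900.00),
    ("M-4004", "2010-05-20", 60_000.00),    # weekday spike
]

def weekday_baseline(batches, merchant):
    """Median of the merchant's Monday-to-Friday batch totals (0.0 if none)."""
    amounts = [amt for mid, day, amt in batches
               if mid == merchant and date.fromisoformat(day).weekday() < 5]
    return median(amounts) if amounts else 0.0

def flag_batches(batches, multiplier=5.0, abs_threshold=250_000.00):
    """Return the batches that warrant review, each with reasons and a priority.

    A batch is flagged when it exceeds `multiplier` times the merchant's
    weekday median, exceeds an absolute threshold, or comes from a merchant
    with no weekday history at all. Weekend submissions raise the priority;
    holidays would need a calendar and are not handled here."""
    flagged = []
    for merchant, day, amount in batches:
        weekend = date.fromisoformat(day).weekday() >= 5
        base = weekday_baseline(batches, merchant)
        reasons = []
        if base == 0.0:
            reasons.append("no weekday settlement history")
        elif amount > multiplier * base:
            reasons.append(f"{amount / base:.0f}x weekday median")
        if amount > abs_threshold:
            reasons.append("above absolute threshold")
        if not reasons:
            continue
        if weekend:
            reasons.append("weekend submission")
        flagged.append({"merchant": merchant, "date": day, "amount": amount,
                        "priority": "high" if weekend else "medium",
                        "reasons": reasons})
    return flagged

if __name__ == "__main__":
    for f in flag_batches(BATCHES):
        print(f["priority"].upper(), f["merchant"], f["date"],
              f"{f['amount']:,.2f}", "; ".join(f["reasons"]))
```

Because the baseline is computed from the same records, a merchant with only a handful of weekday batches gets a noisy median; in practice the baseline would come from a longer history, and the chargeback review of high-risk merchants mentioned above would feed in as a separate signal.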

Analyst: Banks Should Be 'Very Concerned'

These types of thefts have been around for a long time, says Gartner analyst Avivah Litan.

"Financial institutions should be very concerned about this alert because they are the ones who get stuck with the bill and the chargebacks once cardholders notice the unauthorized charges. These 'fake' merchants will undoubtedly bail out of the system once they get their money, so the banks don't have a prayer of recovering money from the bad guys."

This type of fraud is likely to continue, as the biggest problem in preventing batch settlement fraud is how merchant accounts get created and underwritten in the first place. "Visa, MasterCard and the acquiring banks need to tighten up their accreditation process and how they onboard new merchants. There are too many 'third parties' and ISOs in the system, allowing too many illegitimate merchants to establish accounts and access to the payment systems."

Tuesday, May 18, 2010

Innovation comes with a camera that sends details of facial features to a database

Your Face Is All You'll Need at an ATM

Waweru Mwangi, director of the Institute of Computer Science and Information Technology at Kenya's Jomo Kenyatta University, demonstrated his Basic Intelligent Automated Teller Machine at a national scientific conference in Nairobi. The machine uses facial-recognition technology to enable users to conduct financial transactions instead of ATM or debit cards.

Mwangi says that incorporating facial-recognition technology into ATMs makes banking more secure and friendly. "We realized that many people feel uncomfortable with the card, which in some cases is retained by the machine," he says.

The Intelligent ATM features a camera that captures an image of the customer's face and then sends that picture to a database for verification. Once the image is deemed authentic, the customer is prompted to enter a personal identification number or is asked a personal question.

Refer here for more details.

Sunday, May 16, 2010

When Your Trusted Business Partners Are the Threat

Insider Crimes

Insider crimes divide into two groups: those committed by people with an individual relationship with an organization, and those committed by people with an organizational relationship. Insiders with organizational relationships committed more insider fraud and were after financial gain. Sabotage was most often perpetrated by insiders who had individual relationships with an organization.

Organizational Relationships

Insiders with organizational relationships are typically in non-technical positions and have authorized access to those databases that they use to do their work. For these perpetrators, the crime is usually done at the business location -- most commonly fraud. Typically, there is more money associated with these relationships and so there is a greater motivation for fraud.

Individual Relationships

Insiders with individual relationships generally hold positions that are technical in nature, system administrators and the like. Their insider crimes utilize unauthorized access to the organization's systems.

The typical consultant or contractor with an individual relationship gets angry: they were released from their relationship with the institution, fired, or their contract expired, and this upsets them. The individual insider uses their technical knowledge to damage systems, either by planting a logic bomb or by installing back doors before being forced to leave, so they can come back afterward and do damage.

The individual insider typically attacks from a remote location, using the back doors installed before leaving. From there they have many ways to damage an organization, such as destroying data in databases, and the harm can be substantial.

Another area of growing concern is theft of intellectual property (IP). Client lists and databases are typically taken shortly before the insider leaves, usually within a month of departure, so monitoring what departing employees downloaded, emailed, or printed during their final days may uncover what they took with them.

Other types of valuable IP for financial services firms could be proprietary software code used to run a trading platform, as well as trading algorithms.

Cracking Down on Crime

How to prevent insider crimes by trusted business partners? Having clear contractual measures drawn up can help set new standards of doing business with the institution, including some of the security requirements. This is especially key when dealing with global partners.

In many instances the overseas contractor and consultants aren't as security-conscious as an institution would like them to be. The stronger one can make the contractual agreement that holds the trusted business partner to strict security controls, the better the opportunity to keep possible insiders from doing harm.

Screen Employees -- It doesn't have to be DOD-level clearance, but screening of personnel should be required. In one case, CMU's research found a person with a criminal record handling data as a trusted business partner's employee.

Reinforce Policies -- Security procedures and policies should be at least at the same level as the institution's, and all employees should be aware of and comfortable using them.

Monitor Exits -- Termination policies of trusted business partners should be scrutinized and strengthened if needed. Moore says that in many cases of sabotage, the insider got back into the organization's networks via back doors installed on servers and caused damage, often without the business contractor knowing they still had access. If the trusted business partner isn't tracking its employees' access, it won't be able to disable that access when the employee leaves. Reviewing logs upon an employee's departure may help spot where a back door was installed; most sabotage events occur within a month of an employee's termination or resignation.

Enforce Separation -- Insiders can't commit fraud alone if someone else does part of the work. For critical transactions, a system of checks and balances should be a familiar process for institutions: people who enter transactions shouldn't be able to approve them, too.

Measure Access -- Be able to monitor the intellectual property to which employees and business partners have access. Apply least privilege: give only the access they need to do their job.
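The two review steps above (what a departing insider downloaded in their final month, and whether they left themselves a way back in) can be run as one check over the access logs. The following is an added example written for this page, not code from the CERT/CMU study. It assumes a simple key=value audit log format and invented users, hosts and files; the 30-day window and the 5x ratio are the author's own thresholds, the window chosen to match the "within a month" finding.

```python
import re
from datetime import datetime, timedelta

# Constructed audit log lines in a hypothetical key=value format. The users,
# hosts and files are invented; this is not data from the CERT/CMU study.
LOG_LINES = """\
2010-03-15T10:02:11 user=jdoe action=download object=weekly_report.pdf bytes=900000
2010-03-29T14:40:52 user=jdoe action=download object=weekly_report.pdf bytes=950000
2010-04-06T09:12:03 user=asmith action=download object=client_list.xlsx bytes=4800000
2010-04-28T17:55:09 user=jdoe action=download object=client_list.xlsx bytes=4800000
2010-05-06T22:13:44 user=jdoe action=download object=trading_algos.zip bytes=38000000
2010-05-08T23:01:27 user=jdoe action=ssh_key_add host=srv-trade-01
2010-05-08T23:04:10 user=jdoe action=cron_add host=srv-trade-01 job=/tmp/.sync
2010-05-14T02:31:55 user=jdoe action=login host=srv-trade-01 src=203.0.113.7
""".splitlines()

LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+)(?P<rest>.*)$")
BYTES_RE = re.compile(r"\bbytes=(\d+)")
# Actions that create a way back in after the account itself is disabled.
PERSISTENCE_ACTIONS = {"ssh_key_add", "user_create", "cron_add", "firewall_rule_add"}

def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    b = BYTES_RE.search(ev["rest"])
    ev["bytes"] = int(b.group(1)) if b else 0
    ev["rest"] = ev["rest"].strip()
    return ev

def review_departure(lines, user, last_day, window_days=30, ratio=5.0):
    """Review one departing user's activity.

    Compares bytes downloaded in the final `window_days` (through the end of
    `last_day`) with the preceding period of equal length, lists persistence
    actions taken in the window, and reports any activity after the last day,
    which should be impossible if access was actually revoked."""
    end = datetime.fromisoformat(last_day) + timedelta(days=1)  # exclusive end of last day
    start = end - timedelta(days=window_days)
    baseline_start = start - timedelta(days=window_days)
    window_bytes = baseline_bytes = 0
    persistence, post_departure = [], []
    for ev in filter(None, map(parse_line, lines)):
        if ev["user"] != user:
            continue
        if ev["ts"] >= end:
            post_departure.append(ev)
        elif ev["ts"] >= start:
            window_bytes += ev["bytes"]
            if ev["action"] in PERSISTENCE_ACTIONS:
                persistence.append(ev)
        elif ev["ts"] >= baseline_start:
            baseline_bytes += ev["bytes"]
    if baseline_bytes:
        bulk = window_bytes > ratio * baseline_bytes
    else:
        bulk = window_bytes > 0   # no history to compare against: anything taken is worth a look
    return {"user": user, "window_bytes": window_bytes, "baseline_bytes": baseline_bytes,
            "bulk_download": bulk, "persistence": persistence,
            "post_departure": post_departure}

if __name__ == "__main__":
    report = review_departure(LOG_LINES, "jdoe", "2010-05-10")
    print(f"{report['user']}: {report['window_bytes']:,} bytes in final window vs "
          f"{report['baseline_bytes']:,} baseline; bulk download: {report['bulk_download']}")
    for ev in report["persistence"]:
        print("  persistence:", ev["ts"], ev["action"], ev["rest"])
    for ev in report["post_departure"]:
        print("  AFTER DEPARTURE:", ev["ts"], ev["action"], ev["rest"])
```

The post-departure list is the most important output: a login after the last day means a credential or back door survived offboarding, which is exactly the gap Moore describes when the business partner is not tracking its own employees' access.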

Friday, May 14, 2010

Improved Online Security for a Tenth of the Cost

Leak-proof error correction-based protocol to ensure integrity

Computer scientists in the United Kingdom are developing a system that would offer a high level of security at one-tenth the cost of existing systems that use special quantum technology. The fiber-optics system would offer security to two online users by broadcasting a continuous stream of information around the communication loop.

Access to the information would be limited to users who have a secret key. "It is like using background noise to allow two users to share a secret that no one else knows," says University of Hertfordshire professor Bruce Christianson. The fiber-optics system uses a leak-proof error correction-based protocol to ensure integrity.

"Various people have proposed similar ideas in the past, but our system has introduced a novel error correcting scheme, which means we can use cheap fiber-optics technology and make it work at amazingly high transmission rates," Christianson notes.

Refer here for more details.

Tuesday, May 11, 2010

Cyberattack on Google Said to Hit Password System

Intruders do not appear to have stolen passwords of Gmail users

The cyberattack against Google's computer networks, first disclosed in January, also reportedly breached the company's password system, called Gaia, which controls user access to almost all of its Web services.

Although the hackers do not appear to have stolen the passwords of Gmail users, the Gaia breach leaves open the possibility that hackers may find other unknown security weaknesses. The intruders were able to gain control of a software repository used by the Google development team by luring an employee to a poisoned Web site through a link in an instant message.

"If you can get to the software repository where the bugs are housed before they are patched, that's the pot of gold at the end of the rainbow," says McAfee's George Kurtz. An attacker looking for weaknesses in the system could benefit from understanding the algorithms on which the software is based, says Neustar's Rodney Joffe.

Google still uses the Gaia system, although now it is called Google Sign-On. Soon after the intrusion, Google activated a new layer of encryption for its Gmail service. The company also tightened the security of its data centers and further secured the communications links between its services and the computers of its users.

Refer here to read more details.

Friday, May 7, 2010

New Computer Interface Goes Beyond Just Touch

Manual Deskterity combines touch with the trusty pen

Microsoft researchers have developed Manual Deskterity, a computer interface that combines touch input with the precision of a pen. The prototype drafting application, designed for the Microsoft Surface tabletop touchscreen, enables users to perform touch actions such as zooming in and out and manipulating images, but they also can use a pen to draw or annotate those images.

Manual Deskterity also allows users to touch an image onscreen with one hand while using the pen in the other hand to take notes or perform other actions that pertain to that object. Users need to learn more tricks to use Manual Deskterity, but the natural user interface should ease the learning curve by engaging muscle memory.

"This idea that people just walk up with an expectation of how a [natural user interface] should work is a myth," says Microsoft research scientist Ken Hinckley. The researchers also plan to adapt the interface for use with mobile devices. Incorporating only touch input into devices is a mistake, according to Hinckley, who believes that pen and touch interactions can complement each other.

Refer here for more details.

Wednesday, May 5, 2010

Putting the Touch Into Touchscreens

How a person's brain interprets the sense of touch

Researchers are studying new haptics technologies and how a person's brain interprets the sense of touch. For example, Marie Curie University researchers are developing a system that uses surface vibrations to generate sensations of texture. By changing the frequencies of the vibration, the researchers are able to make the surface feel rougher or smoother.

Meanwhile, Mexican computer engineer Gabriel Robles De La Torre is using vibrating surfaces to simulate sensations of sharpness by using motors to create lateral movement to a smooth, flat surface. The technique produces a change in the resistance a user's finger feels as it moves across a certain part of the screen, which is perceived as a sharp edge. Northwestern University engineer Ed Colgate is using vibrations to make objects feel more slippery. His system vibrates their surface at a very high frequency with an amplitude of about two micrometers.

University of Exeter's Ian Summers uses a force-feedback system featuring pressure-sensitive nerves instead of stretch-sensitive ones. The system is able to simulate the feel of several materials. And McGill University's Yon Visell has developed a novel surface designed to simulate walking on different types of ground, such as solid ground, gravel, or sand.

Refer here to read more details.

Monday, May 3, 2010

How to Respond to Vishing Attacks

Tips for Incident Response Plan

Vishing is a form of phishing in which, instead of an email luring people into giving up personal information, the criminal uses a phone call, either live or automated, to target bank or credit union customers and extract critical information. In response to a spree of such attacks, banking and security leaders from one of the impacted states have put together a vishing incident response plan for financial institutions.

Vishing Incident Response Plan

1 - Set Procedures to Report Calls

Have a procedure for employees to report at the time of first (and subsequent) notification. This should include:

  • information on originating phone number (if known);
  • any pertinent details of phone conversation or recorded message;
  • what information was solicited (account numbers, debit card information)?
  • did customer give out information and, if so, was account closed or debit card inactivated?
  • what was the callback number if the customer was directed to return a call?
  • was the call made to your customer's cell phone or a landline?
  • if the call was to a cell, who was the carrier (e.g., AT&T, Optus, Telstra)?
2 - Alert Customers

Notify customers as soon as you see a pattern of calls. Specifically:
  • Explain phone phishing (vishing) and text message phishing (smishing) to customers reporting calls. Have a script ready for your call center staff to refer to that describes what it is, and actions that the customer needs to take when they receive such calls.

  • Consider initiating a news article in your local paper or other media. This article needs to make clear that your bank is protecting customers with this information, and you have not suffered a breach. Non-customers will also be getting these calls, and that is proof that the calls are randomly generated to your area and not the result of any breach. This is a great time to reinforce that you will never call, email, or text to have your customer provide an account number or debit card information, as you already have that information available.

    Encourage anyone receiving these calls to hang up and call their financial institution directly on a number that they obtain themselves. Also provide a reminder that any caller ID is easily "spoofed." Fraudsters can put in the number of any financial institution with a spoofing system and that will be displayed on the customer's phone.

  • Place a banner with news of vishing attempts on your web page to let customers know that it is occurring in your area and you are protecting them through the notification. Consider adding signage and posters for drive-throughs and lobby areas to alert customers to the scam.
3 - Run Down the Source
  • Identify the area code(s) on calls of origination and lines that customers are requested to call (simply Google the area code, "XXX area code").

  • If the calls appear to be generated in the U.S., contact your local FBI office and ask for their cybercrime specialists or white collar crime division, which will handle bank fraud. They can help to get the phone line shut down immediately. You will also want to contact your local law enforcement contacts to alert them to the scam because consumers will be calling them to report the attempts.

  • If the calls are Canadian-based, contact PhoneBusters in Ontario. This is the Canadian Anti-Fraud Call Centre and is staffed by the Royal Canadian Mounted Police. It can be reached at 888-495-8501. It can assist in shutting down Canadian lines and will provide you with a reference number for your case in the event you obtain additional information to report.

  • If the calls are Australian-based, contact your local police station with all the relevant details.
4 - Notify Telecomm Carriers

Lamb of Central National Bank in Enid, OK, has compiled a list of email addresses and a sample email that he uses to get lines shut down.


Sample email text: Fraudulent Text messages are being sent to cell phones in Northeastern Oklahoma: "This is an automated message from XXXX National bank. Your ATM card has been suspended. To reactivate call urgent at 18775895978." This is an IVR that attempts to get card numbers and PINs. If this 877 number is yours please shut it down, if not please forward to the responsible organization.

The words "Criminal Activity" in the subject line help get faster responses.

5 - Make Customer Education a Priority

Keep the educational awareness of these types of scams in front of your customers by adding sections on the institution's webpage about the types of crimes that may happen. Add the same messages to your statement stuffers, call waiting feature and newsletters for added impact. Also be sure to tell your customers that no one will ever call them from the institution soliciting information from them. Always remind your customers to alert you when they receive a call, text, or email from your institution that doesn't seem right.
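Steps 1 to 4 of the plan turn into a small triage routine once the reports are captured in a consistent shape. The following is an added example, not code from the plan or from any of the institutions involved: it normalises the callback numbers customers report, decides when reports amount to a "pattern" (here assumed to be three distinct customers within 48 hours), pulls out who disclosed information and so needs a card blocked first, and drafts the carrier notice from step 4. The reports are constructed; the 877 number is the one quoted in the sample email above.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed customer reports. The fields follow the step 1 checklist; the
# customers, times and originating numbers are invented.
REPORTS = [
    {"reported": "2010-05-01T09:05", "customer": "C-101", "originating": "unknown",
     "callback": "1-877-589-5978", "solicited": "card number, PIN", "disclosed": False,
     "phone_type": "cell", "carrier": "ATT"},
    {"reported": "2010-05-01T11:40", "customer": "C-102", "originating": "(580) 555-0133",
     "callback": "(877) 589-5978", "solicited": "card number, PIN", "disclosed": True,
     "phone_type": "cell", "carrier": "Verizon"},
    {"reported": "2010-05-02T08:15", "customer": "C-103", "originating": "unknown",
     "callback": "877.589.5978", "solicited": "card number", "disclosed": False,
     "phone_type": "landline", "carrier": None},
    {"reported": "2010-05-02T16:20", "customer": "C-101", "originating": "unknown",
     "callback": "877-589-5978", "solicited": "PIN", "disclosed": False,
     "phone_type": "cell", "carrier": "ATT"},      # repeat report, same customer
    {"reported": "2010-05-03T10:00", "customer": "C-200", "originating": "unknown",
     "callback": "800-555-0199", "solicited": "account number", "disclosed": False,
     "phone_type": "landline", "carrier": None},   # single report, no pattern yet
    {"reported": "2010-05-03T10:30", "customer": "C-201", "originating": "unknown",
     "callback": "no number given", "solicited": "account number", "disclosed": False,
     "phone_type": "cell", "carrier": "Optus"},    # unusable callback, skipped
]

def normalize_number(raw):
    """Reduce a North American number to its 10 digits; None if it is not one."""
    digits = re.sub(r"\D", "", raw or "")
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits if len(digits) == 10 else None

def pattern_detected(events, min_distinct, window):
    """True if at least `min_distinct` different customers reported within any `window`."""
    events = sorted(events)           # (timestamp, customer)
    active = Counter()
    i = 0
    for ts, customer in events:
        active[customer] += 1
        while ts - events[i][0] > window:   # slide the window's left edge forward
            old = events[i][1]
            active[old] -= 1
            if active[old] == 0:
                del active[old]
            i += 1
        if len(active) >= min_distinct:
            return True
    return False

def triage(reports, min_distinct=3, window_hours=48):
    """Group reports by callback number; raise one alert per number showing a pattern."""
    by_callback = defaultdict(list)
    for r in reports:
        number = normalize_number(r["callback"])
        if number:
            by_callback[number].append(r)
    alerts = []
    for number, rs in sorted(by_callback.items()):
        events = [(datetime.fromisoformat(r["reported"]), r["customer"]) for r in rs]
        if not pattern_detected(events, min_distinct, timedelta(hours=window_hours)):
            continue
        alerts.append({
            "callback": number,
            "area_code": number[:3],
            "report_count": len(rs),
            "customers": sorted({r["customer"] for r in rs}),
            # customers who gave information out need cards blocked or accounts closed first
            "disclosed": sorted(r["customer"] for r in rs if r["disclosed"]),
            "carriers": sorted({r["carrier"] for r in rs if r["carrier"]}),
            "solicited": sorted({r["solicited"] for r in rs}),
        })
    return alerts

def carrier_notice(alert, institution, region):
    """Subject and body for the step 4 shutdown request to the carriers."""
    n = alert["callback"]
    pretty = f"{n[:3]}-{n[3:6]}-{n[6:]}"
    subject = f"Criminal Activity - fraudulent IVR at {pretty}"
    body = (f"Fraudulent calls and texts are reaching {institution} customers in {region}, "
            f"directing them to call {pretty}. The line is an IVR soliciting "
            f"{', '.join(alert['solicited'])}. If this number is yours please shut it down; "
            f"if not, please forward to the responsible organization.")
    return {"subject": subject, "body": body}

if __name__ == "__main__":
    for a in triage(REPORTS):
        print(a)
        print(carrier_notice(a, "Example National Bank", "Northeastern Oklahoma"))
```

One caveat for step 3: 877, like 800, is a toll-free prefix rather than a geographic area code, so looking it up tells you nothing about where the line is; for those numbers the carrier notice is the route that actually gets the line shut down.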